ThirdMirrors
/
acme.sh
mirror of https://gitee.com/Hawkin99/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Make the process of renewal easier and make sure that the DSM Security Advisor does not complain about a security risk when using custom cronjob.

m-boone 2018-10-10 18:34:50 +02:00
parent 2449c7c485
commit 56e3f4f8df
1 changed files with 6 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Synology-NAS-Guide.md

@ -61,24 +61,13 @@ Now you can check the DSM control panel - Security - Certificates to see the nom
If you see the Lets Encrypt certificate but it's not being used by DMS yet assign the "system default" service to another certificate (create a self signed one if needed) and after the webserver has restarted assign the "system default" service back to the Lets Encrypt certificate. After the webservice has restarted DSM will be using the lets encrypt certificate.
## Configuring Certificate Renewal
To auto renew the certificates in the future, you need to configure the cronjob. However, acme.sh seems not properly add tasks to Synology crontab. You have to do this manually.
Configure crontab for root
$ vim /etc/crontab
Add the following line to the crontab. Remember to use tab for spacing.
For example, 10:00 am of the 2nd day every month run the cronjob to check if due to renew the certificates (You can modify the cronjob schedule according to your needs)
0 10 2 * * root /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
If using the alternate method from above, the last step is to setup a schedule task to copy renewed certificates in cert library to system default directory and restart the Nginx service.
To auto renew the certificates in the future, you need to configure a task in the task scheduler. It is not advised to set this up as a custom cronjob (as was previously described in this wiki page) as the DSM security advisor will tell you that you have a critical warning regarding unknown cronjob(s).
In DSM control panel, open the 'Task Scheduler' and create a new scheduled task for a user-defined script.
* General Setting: Task - Update default Cert. User - root
* Schedule: Setup the time according to your acme.sh crontab schedule. For example, 11:00 am of the 2nd day every month.
* Task setting: User-defined-script:
* Schedule: Setup a monthly renewal. For example, 11:00 am of the 2nd day every month.
* Task setting: User-defined-script **(modify where needed!)**:
```
# Note: The $CERT_FOLDER must be hardcoded here since the running environment is unknown. Don't blindly copy&paste!
@ -92,6 +81,9 @@ CERTROOTDIR="/usr/syno/etc/certificate"
PACKAGECERTROOTDIR="/usr/local/etc/certificate"
FULLCERTDIR="$CERTROOTDIR/$CERTDIR"
# renew certificates, this used to be explained as a custom cronjob but works just as well within this script according to the output of the task.
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
# find all subdirectories containing cert.pem files
PEMFILES=$(find $CERTROOTDIR -name cert.pem)
if [ ! -z "$PEMFILES" ]; then